Required to have separate router and firewall devices - Recommendation?

Hello everyone. In order to meet a certain requirement, several of my sites must have a "separate router and firewall." The modem provided by the ISP does not meet the router requirement simply because it's owned by the ISP. We have already invested in FortiGate 60D routers, and we have VPN enabled on them, so a double-NATed connection is not really an option. What's worse is that there are Intrusion Protection and logging requirements, which we have solved using the FortiGate licensing, so it needs to be acting as the firewall.

I'm sure I could just get a router, configure a static route on it and put it in front of the FortiGate, but I don't see the point of it. Traffic would just pass straight through the router - it wouldn't be "routing" traffic; that's what the NAT firewall does.

Perhaps I'm missing something; has anybody had to meet this requirement before? Is it possible to have a separate NAT router with no firewall functions that then leads to a firewall and have it actually work? I would think this would stifle security due to the amount of control you would lose when it comes to the NAT itself.
Clay Foody asked:



Does it specify that the router must be outside the firewall?

I've seen problems fairly frequently by folks using the firewall as the default gateway for their internal network. Then they add a new subnet and suddenly connections start to fail.
Similarly, I've seen problems when the firewall is the edge device and then they need to add a backup Internet connection. Most firewalls are great as security devices, but suck at figuring out the optimal route or detecting outages.
Clay Foody (Author) commented:
This is a very small business - we're talking about 5 employees, so there's no need for subnetting or failover internet.

This separate router and firewall hardware requirement is due to an upcoming federal regulation that applies to the type of business they're doing.

Has anyone successfully separated a NAT router from a security firewall without running into routing issues and dropped connections? Again, the FortiGate is the device they've spent money on with licensing add-ons including the VPN and two-factor RSA keychains, etc.

Many times; that shouldn't be a problem.

I suggest a decent quality router, like a Cisco 2911. Just create a 1-to-1 NAT rule for the FortiGate, and some basic security settings on the router (preventing SSH and the like), and it should run just fine.

But a basic NAT device will do pretty much the same thing, if they can't afford the Cisco 2911.
Clay Foody (Author) commented:
I'm not sure I understand. Would I be creating a rule for the entire range of IP addresses on the internet to be directed to the Fortigate's WAN IP?
Currently your Fortigate has an Internet accessible address.

If you place it behind a router, it will have a private IP address.

The NAT rule is to create a public IP address that is translated to the private IP address on the Fortigate.
Clay Foody (Author) commented:
But how does web traffic find its way back to the originating computer that requested the webpage if the NAT takes place before the Fortigate?
Same way it does now, except it will be double NAT'd instead of NAT'd only one time.

Each security device will have its own NAT table, and the traffic translation will be handled appropriately at each hop.
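An added model (not from this thread) of the double-NAT path just described: a 1-to-1 static NAT at the border router in front of the FortiGate's port-overloaded NAT, using constructed addresses. It shows how a reply is reversed through both tables to reach the LAN host, and why an inbound packet with no matching session is dropped at the stateful hop.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StaticNat:
    """Border router: one public IP mapped 1-to-1 to the FortiGate's WAN IP."""
    def __init__(self, public_ip, inside_ip):
        self.public_ip, self.inside_ip = public_ip, inside_ip
    def outbound(self, pkt):
        assert pkt.src == self.inside_ip, "only the FortiGate sits behind this rule"
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)
    def inbound(self, pkt):
        assert pkt.dst == self.public_ip, "not addressed to the mapped public IP"
        return Packet(pkt.src, pkt.sport, self.inside_ip, pkt.dport)

class Pat:
    """FortiGate: LAN hosts share its WAN IP; the session table records which
    WAN source port belongs to which LAN host, so replies can be reversed."""
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip, self.next_port, self.sessions = wan_ip, first_port, {}
    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.wan_ip, port, pkt.dst, pkt.dport)
    def inbound(self, pkt):
        entry = self.sessions.get(pkt.dport)
        # Stateful check: no matching session means the packet is unsolicited.
        if entry is None or entry[2:] != (pkt.src, pkt.sport):
            return None
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])

def build_path():
    # Router public 203.0.113.10 -> FortiGate WAN 10.0.0.2 (constructed values)
    return StaticNat("203.0.113.10", "10.0.0.2"), Pat("10.0.0.2")

def round_trip(lan_ip="192.168.10.25"):
    router, fgt = build_path()
    request = Packet(lan_ip, 51000, "198.51.100.80", 443)
    on_wire = router.outbound(fgt.outbound(request))    # LAN -> FGT -> router -> web
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return on_wire, fgt.inbound(router.inbound(reply))  # web -> router -> FGT -> LAN

def unsolicited_dropped():
    router, fgt = build_path()
    probe = Packet("198.51.100.80", 443, "203.0.113.10", 40000)
    return fgt.inbound(router.inbound(probe)) is None
```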
To actually answer your questions:
"Is it possible to have a separate NAT router with no firewall functions that then leads to a firewall and have it actually work? I would think this would stifle security due to the amount of control you would lose when it comes to the NAT itself."

Yes, it's very possible and, in fact, somewhat recommended even.
This does not stifle security but rather adds to it, since you have a layered security approach. The NAT border router merely hides the IP address, and then the Fortinet, in your case, can accomplish the UTM functions, including basic stateful firewall functions, behind the router.
Although the Fortigate is a very capable routing device for such a small task, the best and easiest way to utilize it in your scenario is to set it up in transparent mode so it becomes an L2 bump in the wire; then routing issues are no longer an issue, since you are required to have a router anyway. There is no good reason to double NAT here, which is ugly and creates a troubleshooting nightmare.

Let me know if this makes sense to you or if you need any further insight.

There is a second option. Many of these regulations are actually requirements for separate logical devices, and not physical devices. Without the specifics for your regulatory and compliance requirements, I can't tell you if this answer would be sufficient, but it is for many PCI and HIPAA organizations that I have worked with:

FortiGate firewalls have a feature called Virtual Domains, which can be used to split the firewall into 2 separate logical devices. FortiGate 60Ds have a default license for 10 Virtual Domains being available. The regulation's requirement is quite often imposed so that 2 different individuals control network security (Security Team) and network routing (Network Team). If you are just doing basic static routing to the internet, you could theoretically just do your NAT control on a virtual domain connected to your ISP router, and do all of your firewall policies on the internal virtual domain, thereby saving you from introducing essentially a second piece of single-point-of-failure. The connection between the 2 VDOMs (virtual domains) is then either a network cable run between two interfaces connecting the two VDOMs, or you can use a feature called inter-VDOM links.

The Fortinet Virtual Domain Administration Guide has a lot more detail, in much more specific quantities than I can provide in a single post.
Such a small environment does not necessitate virtual domains. This is only used for multiple organizations with different management planes. Think of the VDOMs as separate logical firewalls. Neither PCI nor HIPAA would require this, frankly... let's not overcomplicate this. We only deploy VDOMs for large multi-tenant type environments.
Clay Foody (Author) commented:
This is what we wound up doing and it's working.